OFFICE OF THE INSPECTOR GENERAL

U.S. NUCLEAR REGULATORY COMMISSION

Review of NRC’s Personnel Security Program Contractor Policies and Practices

OIG-04-A-02    November 5, 2003

AUDIT REPORT

All publicly available OIG reports (including this report) are accessible through NRC’s website at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

November 5, 2003

MEMORANDUM TO: William D. Travers

FROM: Stephen D. Dingbaum/RA/
      Assistant Inspector General for Audits

SUBJECT: REVIEW OF NRC’S PERSONNEL SECURITY PROGRAM CONTRACTOR POLICIES AND PRACTICES (OIG-04-A-02)

Attached is the Office of the Inspector General’s audit report titled, Review of NRC’s Personnel Security Program Contractor Policies and Practices.

Auditors found that (1) NRC employees do not consistently implement the established contractor access policy and procedure requirements and (2) NRC does not act expeditiously to resolve access decisions pertaining to IT contractors when issues are reflected in the background investigation conducted by the Office of Personnel Management (OPM). Furthermore, because NRC does not screen OPM investigation results upon receipt to determine issue significance, cases that may warrant expedited resolution or immediate action cannot be identified for such treatment.

The report makes 10 recommendations to strengthen controls over the personnel security program with regard to contractor access to NRC headquarters and regional office facilities
and information.

During an exit conference on September 26, 2003, NRC officials provided comments concerning the draft audit report. OIG incorporated these comments, as appropriate, into the report. NRC officials reviewed the modifications and opted not to submit formal written comments to this final version of the report.

If you have any questions, please contact Stephen D. Dingbaum, Assistant Inspector General for Audits, at 415-5915 or Beth Serepca at 415-5911.

Attachment: As stated

cc: William Dean, OEDO
    R. McOsker, OCM/RAM
    B. Torres, ACMUI
    B.J. Garrick, ACNW
    M. Bonaca, ACRS
    J. Larkins, ACRS/ACNW
    P. Bollwerk III, ASLBP
    K. Cyr, OGC
    J. Cordes, OCAA
    E. Merschoff, CIO
    J. Funches, CFO
    P. Rabideau, Deputy CFO
    J. Dunn Lee, OIP
    D. Rathbun, OCA
    W. Beecher, OPA
    A. Vietti-Cook, SECY
    W. Kane, DEDH/OEDO
    C. Paperiello, DEDMRS/OEDO
    P. Norry, DEDM/OEDO
    M. Springer, ADM
    J. Dyer, NRR
    G. Caputo, OI
    P. Bird, HR
    C. Kelley, SBCR
    M. Virgilio, NMSS
    S. Collins, DEDR
    A. Thadani, RES
    P. Lohaus, STP
    F. Congel, OE
    M. Federline, NMSS
    R. Zimmerman, NSIR
    R. Wessman, IRO
    H. Miller, RI
    L. Reyes, RII
    J. Caldwell, RIII
    B. Mallett RIV
    OPA-RI
    OPA-RII
    OPA-RIII
    OPA-RIV

EXECUTIVE SUMMARY

BACKGROUND

Most Nuclear Regulatory Commission (NRC) contractor employees are required to obtain approval through the agency’s personnel security process prior to beginning work for the agency.
Contractors receive one of three types of access: (1) classified access, which permits them to work with classified information; (2) information technology (IT) access, which permits them to work with NRC sensitive IT systems and information, and (3) building access, which allows them continuous unescorted access within headquarters or regional office facilities. Approval for access to these three levels is based on a background investigation conducted by the Office of Personnel Management (OPM) or the General Services Administration. Contractors are often granted temporary access before the background investigation is completed.

PURPOSE

The audit objectives were to determine (1) whether NRC policies for contractor employee access to agency information and facilities are being implemented and (2) whether the contractor temporary access process meets its goal of expediting contractor employment without jeopardizing NRC safety and security.

RESULTS IN BRIEF

Personnel security program weaknesses pertaining to contractor access to NRC headquarters and regional office facilities could be placing the agency’s information, facilities, and staff at risk. Specifically, program requirements are not consistently followed and the agency lacks a process for expeditiously resolving final access decisions for IT contractors with temporary access when issues are reflected in the OPM background investigation.

Contractor Personnel Security Program Requirements Are Inconsistently Followed

NRC employees do not consistently implement the established contractor access policy and procedure requirements.
OIG reviewed documentation and interviewed NRC project officers associated with 17 contracts and determined that contrary to NRC guidance and policy:

- Contractors were working prior to review and adjudication for temporary access by the Division of Facilities and Security (DFS).
- Contractors were escorting other contractors without approval to do so.
- Contractors with only building access had access to the NRC computer network.
- Contractors working offsite with sensitive information had not been approved for IT access.
- Security infractions were not consistently administered for contractor related security violations.

These lapses occur because NRC’s personnel security program managers have not effectively documented or communicated contractor security policies to NRC staff expected to carry out these policies. As a result, some contractors are inappropriately given access to NRC facilities and data, potentially jeopardizing agency employees and information. In addition, DFS officials have made policy and procedure changes without formally documenting or providing rationale for those changes.

Agency Response to IT Temporary Access Issue Cases Is Not Timely

NRC does not act expeditiously to resolve access decisions pertaining to IT contractors when issues are reflected in the OPM background investigation. As of June 2003, DFS had a total of 80 investigative reports returned from OPM that needed to be reviewed and adjudicated for contractors already working at NRC with temporary access.
Of these 80 reports, 70 had issues (i.e., questionable or derogatory background information of varying levels of significance), and 39 of these issue cases had been awaiting adjudication for 5 months or more. This slow response occurs because DFS lacks a process for resolving these cases quickly. Furthermore, because NRC does not screen OPM investigation results upon receipt to determine issue significance, cases that may warrant expedited resolution or immediate action cannot be identified for such treatment.

RECOMMENDATIONS

This report makes 10 recommendations to the Executive Director for Operations to strengthen controls over the personnel security program with regard to contractor access to NRC headquarters and regional office facilities. A consolidated list of recommendations appears on pages 21 – 22 of this report.

AGENCY COMMENTS

During an exit conference on September 26, 2003, NRC staff provided comments concerning the draft audit report. We modified the report as we determined appropriate in response to these comments.
NRC reviewed these modifications and opted not to submit formal written comments to this final version of the report.

ABBREVIATIONS AND ACRONYMS

CFR     Code of Federal Regulations
DFS     Division of Facilities and Security
FY      Fiscal Year
IT      information technology
LAN     local area network
MD      Management Directive
NRC     Nuclear Regulatory Commission
OCIO    Office of the Chief Information Officer
OGC     Office of the General Counsel
OIG     Office of the Inspector General
OPM     Office of Personnel Management
SCIF    sensitive compartmentalized information facility

TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS AND ACRONYMS
I.   BACKGROUND
II.  PURPOSE
III. FINDINGS
     A. CONTRACTOR PERSONNEL SECURITY PROGRAM REQUIREMENTS ARE INCONSISTENTLY FOLLOWED
     B. AGENCY RESPONSE TO IT TEMPORARY ACCESS ISSUE CASES IS NOT TIMELY
IV.  CONSOLIDATED LIST OF RECOMMENDATIONS
V.   AGENCY COMMENTS

APPENDIXES
A.   SCOPE AND METHODOLOGY
B.   CONTRACTOR ACCESS APPROVAL PROCESS

I. BACKGROUND

Government agencies are requesting more security clearances for Federal workers as part of the Nation’s overall response to the terrorist attacks of September 11, 2001. In FY 2002, the Office of Personnel Management (OPM) — which manages the bulk of these requests — received almost 2 million requests for background investigations and other checks for contractors and employees. That was an increase of nearly 90 percent from the prior fiscal year. Background investigations serve as a basic protection against espionage or other misuse of classified and sensitive agency information, occupational fraud and abuse, and crime in the workplace.
Due to a Governmentwide initiative to increase reliance on Federal contractor employees, the need for background investigations for these individuals will continue to grow.

One purpose of a personnel security background investigation is to determine whether past behavior is a matter of concern for future reliability. Background investigations vary in depth based on the type of work the employee or contractor will be doing. For example, Federal employees needing Confidential, Secret, and L clearances undergo an Access National Agency Check with Inquiries, while a Single-Scope Background Investigation is required for Top Secret and Q clearances.[1] Government employees who will not be working with classified information are required to undergo at least an investigation to assess their “suitability”[2] for Federal employment.

While the Office of the Inspector General (OIG) did not identify any regulations concerning suitability for contractors who will not be working with classified information, an OPM official explained that agencies are expected to hold these contractors to the same standard as Federal employees. Thus, agencies need to conduct background investigations appropriate to the level of risk posed by the contractor’s access to agency facilities or information.

[1] To work with Confidential, Secret, or Top Secret classified information, individuals must receive at least the corresponding level of security clearance (i.e., Confidential, Secret, Top Secret).
Pursuant to the Atomic Energy Act, NRC uses a separate system; employees either receive an L clearance, which equates to a Confidential or Secret clearance, or a Q clearance, which equates to a Top Secret clearance.

[2] According to Title 5, Part 731, Code of Federal Regulations (5 CFR Part 731), “Suitability,” the determination of suitability for Federal employment is based on an individual’s character or conduct that may have an impact on the integrity or efficiency of the service. These determinations of suitability for Federal employment are characterized in 5 CFR Part 731 as different than determinations of eligibility for assignment to sensitive national security positions.

NRC Contractor Security Requirements

In accordance with legislative requirements and agency policy, most contractor employees[3] working for the agency are required to undergo NRC’s personnel security process prior to beginning work for NRC. Under these requirements, (1) contractors working with classified information or in positions of high public trust (e.g., security guard) must be approved for Q or L access authorization,[4] (2) contractors with access to NRC sensitive information technology (IT) systems and information must be approved for information systems access[5] (referred to in this report as IT access), and (3) contractors who require continuous unescorted access within headquarters or regional office facilities (but do not need IT access) must be approved for building access.
Currently, there are approximately 960 contractors working for headquarters and regional office facilities. Approximately 90 have either Q or L access authorizations, while the remainder have either IT or building access.[6]

[3] Contractors who will be working for 30 days or less at the headquarters or regional office facilities (e.g., pest control, specialty electrician) and do not need access to sensitive IT systems or data are not required to undergo a personnel security review. However, these contractors must be issued visitor badges on a daily basis and must be escorted by an NRC employee the entire time they are working in NRC facilities. In addition, contractors working offsite with non-sensitive NRC data are not currently required to undergo a personnel security review.

[4] The term access authorization is defined in Title 10, Part 10, Code of Federal Regulations (10 CFR Part 10), “Criteria and Procedures for Determining Eligibility for Access to Restricted Data or National Security Information or an Employment Clearance,” as an administrative determination that a prospective or current NRC employee or contractor is eligible for a security clearance for access to Restricted Data or National Security Information. For practical purposes, this term is interchangeable with “security clearance.”

[5] The term access is not defined or even used in 10 CFR Part 10, but appears in NRC Management Directive and Handbook 12.3 (MD 12.3), “NRC Personnel Security Program,” in connection with IT Level I, IT Level II, and building access contractors. Agency legal staff advised that the term access is not defined in 10 CFR Part 10 or MD 12.3, but is meant to convey the standard Webster’s dictionary definition of the word (i.e., permission, liberty, or ability to enter, approach, communicate with, or pass to and from).

[6] DFS could not easily provide a breakdown of contractors with IT access versus building access.

The Contractor Access Process

The process for granting IT and building access to contractors involves two phases: (1) a temporary access phase, which allows a contractor to begin work prior to a final access determination and (2) a final access phase, which is based on a more indepth background investigation. (See Appendix B for a flow chart depicting this process.) Each phase involves an evaluation — referred to as adjudication — of background information about the contractor employee. Division of Facilities and Security (DFS) staff adjudicate cases based on a set of guidelines used to assess individuals who work with classified information. DFS staff explained that when a contractor’s background raises questions based on the guidelines, such questions are referred to as issues.
The staff will attempt to resolve — or mitigate — these issues by considering, for example, when the problems occurred, their seriousness, and if they have been or are being resolved.

During the temporary access phase, DFS staff review written personnel security background information provided by the prospective contractor and credit and criminal histories for these individuals. Based on the staff’s adjudication of this information, a DFS branch chief grants (or denies) temporary access allowing the contractor to begin work, unescorted, in the headquarters or regional office.

The second phase of NRC’s security process occurs following the approval for temporary access. In this phase, DFS requests from either OPM (for IT access) or the General Services Administration (for building access) a more comprehensive background investigation. When these background investigation results are returned (several months to more than a year after the request is made), DFS staff review and adjudicate the information. Based on this second review, the DFS Security Branch Chief makes a determination to either grant or deny final access to these contractors.

NRC Guidelines for Determining Eligibility for Access

Guidelines used by DFS staff to assess contractors for temporary and final access approval appear in Title 10, Part 10, Code of Federal Regulations (10 CFR Part 10), “Criteria and Procedures for Determining Eligibility for Access to Restricted Data or National Security Information or an Employment Clearance.” These guidelines assess the individual’s loyalty to the United States and whether he or she could be susceptible to pressure to act against the interests of national security. Items to be assessed include whether the individual:

- Has a history of financial problems.
- Provided false information on the personnel security questionnaire.
- Uses alcohol excessively.
- Uses illegal narcotics.
- Has a background suggesting criminal tendencies, poor judgment, unreliableness, or untrustworthiness.
- Knowingly established or continued a sympathetic association with a representative for a foreign nation whose interests may be contrary to the interests of the U.S.

Recent DFS Efforts To Improve Controls

DFS staff and managers described various efforts made over the past several years to improve controls over contractor access to NRC facilities and information. These efforts included issuing several memoranda from the Office of Administration to office directors urging compliance with agency access requirements, presenting a security segment in NRC’s project officer training, issuing security infractions to project officers who violate the MD requirements, and meeting with project officers and their managers to discuss concerns relating to contractor access.
According to the DFS Director, these efforts have caused a significant reduction in the number of contractors working in the headquarters buildings on an escorted basis without prior security review. Furthermore, he noted, there has been no recent evidence of theft or compromise of information related to contractors.

II. PURPOSE

The audit objectives were to determine (1) whether NRC policies for contractor employee access to information and facilities are being implemented and (2) whether the contractor temporary access process meets its goal of expediting contractor employment without jeopardizing NRC safety and security. These objectives were derived as part of OIG’s overall review of the efficiency and effectiveness of NRC’s personnel security program, which is still in process.

III. FINDINGS

Personnel security program weaknesses pertaining to contractor access to NRC headquarters and regional office facilities could be placing the agency’s information, facilities, and staff at risk. Specifically, program requirements are not consistently followed and the agency lacks a process for expeditiously resolving final access decisions for IT contractors with temporary access when issues are reflected in the OPM background investigation.

A. CONTRACTOR PERSONNEL SECURITY PROGRAM REQUIREMENTS ARE INCONSISTENTLY FOLLOWED

NRC employees do not consistently implement the established contractor access policy and procedure requirements.
OIG reviewed documentation and interviewed NRC project officers associated with 17 contracts and determined that contrary to NRC guidance and policy:

- Contractors were working prior to review and adjudication for temporary access by DFS.
- Contractors were escorting other contractors without approval to do so.
- Contractors with only building access had LAN[7] accounts.
- Contractors who had not been approved for access were working offsite with sensitive information.
- Security infractions were not consistently administered for contractor related security violations.

These lapses occur because NRC’s personnel security program managers have not effectively documented or communicated policies concerning contractors to NRC staff expected to carry out these policies. As a result, some contractors are inappropriately given access to NRC facilities and data, potentially jeopardizing agency employees and information. In addition, DFS officials have made policy and procedure changes without formally documenting or providing rationale for those changes.

NRC Policy and Procedures

NRC has established policy and other requirements to protect information, staff, and facilities in accordance with laws, Executive orders, and management directives.
Management Directive and Handbook (MD) 12.3, “NRC Personnel Security Program,” contains the policies and procedures establishing a personnel security program to ensure that determinations of an individual’s eligibility for access to information and facilities are in accordance with pertinent laws and other guidance. While some requirements are formalized as policy in NRC management directives, others are not. DFS officials convey NRC personnel security program requirements not formalized in the MDs through various means, such as Yellow Announcements, the NRC Web site, and through discussion. These policies and requirements address a number of topics, including when contractors may begin working for the agency, contractor escorting requirements, temporary access process steps, DFS’s review of contract security clauses, and the use of NRC’s security infraction program to address noncompliance with requirements.

[7] The Local Area Network (LAN) is a group of computers connected together to share information and hardware in a small area.

Contractor Security Policies Not Well Documented or Communicated

NRC employees do not consistently follow the established contractor access policy and procedure requirements because these requirements are not well communicated to staff in written policy or via other means. As a result, some contractors are inappropriately given access to NRC facilities and data, placing agency employees and information at risk.
In addition, DFS officials have made policy and procedure changes without formally documenting or providing rationale for those changes.

OIG reviewed documentation and interviewed NRC project officers associated with 17 contracts and identified 5 types of inconsistencies between policy and practice on 7 of the contracts. No single contract reviewed demonstrated all five inconsistencies, but some served to illustrate as many as three. The following are examples of inconsistencies identified.

Contractors Working Prior to DFS Approval

NRC allows contractors to begin working for NRC once they are approved by DFS. However, 14 contractors working on 4 of the contracts reviewed by OIG had worked prior to or without DFS review and adjudication for temporary access. One example involved a health center contract employee who was inappropriately signed in as a visitor for approximately 6 weeks. In this case, the NRC project officer had submitted the paperwork to DFS, but such approval had not yet been granted. The project officer explained that he allowed the contractor to come on board prior to DFS approval because he did not want to lose the opportunity to employ this individual, whom he felt was highly qualified for the position.

Another example involved contractors working at headquarters to construct a sensitive compartmentalized information facility (SCIF) for storing and discussing classified information. Nine of 10 construction contractors or subcontractors were signed in as visitors to work on the SCIF project. One of these individuals, who worked for 9 days at NRC without having received approval, was then denied access approval because of financial-related criminal conduct in his background.
Moreover, approximately 2 months after another proposed contractor employee was denied access approval due to a violent criminal background, the NRC project officer — who had been informed in writing that this individual was not to have access to NRC facilities or information — resubmitted the employee’s name for weekend access.[8] In this circumstance, a DFS official recognized the individual’s name and, consequently, the request was denied.

The DFS Director told OIG that he gave his approval for the SCIF project contractor employees to be signed in as visitors to work prior to their adjudication for temporary access because he believed it necessary to expedite work on the project. He said he conveyed his approval for the visitor sign-ins verbally to the NRC project officer for the contract, but did not formally document the decision.

Contractors Escorting Other Contractors Without Approval

NRC requires agency employees to escort short-term contractor employees who are not required to obtain access approval. However, on three contracts, contractors who did not have permission escorted at least four such contractors. The NRC project officers for two of the contracts said they work in offices situated apart from the areas in which the contractors worked and were unaware that these violations were occurring.
On the third contract, the project officer, who also worked in an area removed from the contractor work area, explained that the foreman of the crew had building access approval and could be trusted to supervise the other contractors. This project officer explained that it would be inconvenient for NRC staff to have to perform all of the escorting.

Although DFS staff occasionally approve contractors to escort other contractors, this option is not documented in MD 12.3. There are no criteria for who may grant the approval, what qualifications the contractor should possess in order to escort, or under what circumstances this permission is granted. Until recently, DFS did not have a single, up-to-date list of contractors who had been granted escort permission.

        Building Access Contractors With LAN Accounts

NRC requires contractors to have IT access approval in order to have NRC LAN accounts. Yet, OIG identified 10 contractors with only building access (working on three contracts) who had LAN accounts. Project officers for these contracts were not aware that this practice was prohibited.

8 While the project officer was advised that the contractor was not permitted to work on the SCIF project, the project officer was not informed of the specific reason for the denial of access.

MD 12.3 states that IT access is needed for access to NRC sensitive IT systems and data, but does not specifically mention assignment of LAN accounts.
DFS staff explained that contractors should not have a LAN account unless they have been approved for IT access. While some project officers were aware of this requirement, others were not. According to DFS managers, they have made concerted efforts to communicate the requirements for contractor LAN access to agency staff and to Office of the Chief Information Officer (OCIO) staff in particular. They said the situation has improved due to these efforts and explained that a revised version of Management Directive 12.5, “NRC Automated Information Systems Security Program,” incorporates procedures clarifying that OCIO will not grant contractors LAN access until receiving verification from DFS that the appropriate security clearance or IT access had been granted.

        Contractors Working Offsite With Sensitive Information

According to DFS staff, contractors working offsite with sensitive information are required to be approved for IT access. However, three employees working offsite on two contracts did not have IT access approval. In one case, an offsite contractor employee who was working with sensitive information did not have IT access approval. In another case, an offsite contractor employee who was supervising onsite contractor employees did not have IT access approval. Yet, the work performed by the onsite staff required them to have IT access.
While the NRC project officer said the offsite supervisor was not working with systems information, but was overseeing the contract, the scenario causes OIG to question the offsite supervisor’s access to sensitive NRC information.

The requirement for contractors working offsite with sensitive information is not clearly stated in MD 12.3. MD 12.3 discusses “access to NRC sensitive information technology systems and data by NRC contractors,” but does not clearly state that sensitive data covers more than IT information. As one DFS official explained, such access approval is required in cases where a breach of the information protection requirements could have safety and security implications.

        Security Infractions Not Consistently Administered

Security infractions are used to address some types of noncompliance with personnel security requirements;9 however, security infractions are not issued consistently for policy and procedure violations. For example, the project officer for the SCIF construction effort was not given an infraction after permitting contractors to begin work prior to review and adjudication for temporary access. Instead, the project officer was given permission by the DFS Director to allow the employees to work prior to approval for project expediency purposes. However, the project officer for a different contract was given a security infraction for the same practice. The DFS Director told OIG he does not view the SCIF scenario as warranting an infraction because he approved the contractors to begin work prior to DFS review and adjudication and he has the authority to make these types of decisions. The option for project officers to request exemptions to DFS procedures is not documented in MD 12.3.

9 A security infraction is an administrative action that DFS takes when an employee fails to comply with NRC security requirements. DFS staff advised that if an employee receives three security infractions within a year, they can lose their security clearance and, consequently, their job at NRC.

Moreover, neither NRC’s contractor security requirements nor the fact that one can receive a security infraction for violating these requirements are clearly communicated to staff. As evidenced in the above examples, key guidance in MD 12.3 is unclear or incomplete. While a DFS staff member has been providing security training for approximately 1½ years to participants in the agency’s project officer training courses, the training was not provided during all of the sessions conducted during this time period.

        Policy and Procedure Changes Not Always Documented

DFS management officials have made policy and procedure changes without formally documenting or providing rationale for those changes. In one example, a DFS manager instructed adjudicators to stop conducting security assurance interviews that are required by MD 12.3 as a precursor to granting temporary access.
The DFS manager advised that routinely holding security assurance interviews with prospective contractor employees was not likely to add value to the temporary access process. This manager said that if a prospective contractor answered questions dishonestly on their security forms, it was unlikely that they would tell the truth during an interview. The manager said that a face-to-face interview would be useful only if DFS staff had documentation proving that the contractors’ written answers were inaccurate and that such information was not available during the temporary access phase.

In contrast, a personnel security official from another Federal agency acknowledged the benefits of conducting security interviews in situations where the contractor would be working with sensitive information. This official said the body language and other cues that are seen in a face-to-face interview are highly informative and could help to reveal inaccuracies on a security questionnaire. The official said a decision to conduct this type of interview ought to be based on the potential harm that could be caused by a contractor based on the type of work they would perform and their exposure to sensitive information. In addition, information developed during this initial interview could be extremely useful to reference if issues develop during the background investigation.

In a second example, a DFS manager instructed the DFS staff to stop evaluating the financial information of contractors when determining their eligibility for building access. Reviewing the credit report information for prospective building access contractors was intended to strengthen the background review performed on these contractors.
In this case, the DFS manager explained that the requirement was preventing too many contractors from being approved. This manager said that many of these individuals had credit problems of varying degrees, and could not be approved to begin work. The manager told OIG that, in fact, it was never intended that the adjudicators use the financial information in the credit report for adjudicating contractors for building access. Rather, they were expected to use the report only to determine whether fraud alerts are reflected on the report or if there are discrepancies in the social security number, address, or name of the applicant that might suggest fraud. Therefore, the manager instructed staff to stop reviewing the financial information, and to review the credit report only for indicators of fraud. Again, this change was not documented.

By making informal policy changes without documenting those changes, NRC increases the risk of missing valuable information during its access approval process.

Fraud Examiners Advocate Strong Internal Controls, Background Investigations

In its 2002 Report to the Nation on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners presents results of a survey it conducted of approximately 10,000 certified fraud examiners in the United States. As part of the survey, respondents were asked, based on their own expertise, which of eight measures were most helpful in preventing fraud against organizations.
Respondents reported that the top two most effective anti-fraud measures were, first, a strong system of internal controls, and second, detailed background checks on new employees.

Recommendations

OIG recommends that the Executive Director for Operations:

1. Update and clarify MD 12.3 to reflect agency requirements concerning contractors working prior to approval, contractor escort requirements, level of access required to have a LAN account, and contractors working offsite with sensitive information.

2. Specify in MD 12.3 examples of violations that could warrant a security infraction and administer the security infraction program consistently in accordance with these rules.

3. Consistently provide materials on personnel security requirements in the project officer training course.

4. Develop and implement a plan to communicate on a routine basis directly with all NRC project officers concerning contractor security requirements. The plan should include such elements as mandatory annual refresher training on security requirements for all project officers and e-mail reminders to all project officers concerning the requirements.

5. Develop and implement a formal process for granting and documenting exceptions to security requirements and identify who is authorized to grant such exceptions.

6. Broaden the use of the credit report information for building access contractors so that information pertaining to financial issues is considered during the adjudication process.


B. AGENCY RESPONSE TO IT TEMPORARY ACCESS ISSUE CASES IS NOT TIMELY

NRC lacks a process for expeditiously resolving final access decisions for IT contractors with temporary access when issues are reflected in the OPM background investigation. This slow response occurs because DFS lacks a process for resolving these cases quickly. NRC emphasizes granting temporary IT access as quickly as possible, while delaying action on final access review, thus permitting contractors with questionable backgrounds to continue working until a final adjudication is made. Furthermore, because NRC does not screen OPM investigation results upon receipt for the significance of the issues that OPM identified, cases that may warrant expedited resolution or immediate action cannot be identified for such treatment. As a result, contractor employees with questionable backgrounds could be permitted to work at NRC, potentially jeopardizing the safety and security of agency employees and information.

Temporary Access Requirements

The purpose of NRC’s temporary access program for contractors is not stated in policy, but the program is presumably intended to bring contractors on board quickly without jeopardizing NRC workplace safety or security.

MD 12.3 states that NRC must follow due process procedures if it seeks to deny final access to a contractor who has been allowed temporary IT access. (There is no due process requirement for denying access to building access contractors.)
MD 12.3 also states, “On the basis of DFS’s review of the contractor employee’s security forms and/or the receipt of adverse information, the contractor employee may be denied access to NRC sensitive information technology systems and data until a final determination of eligibility for access is made under the provisions of due process.” MD 12.3 does not state which DFS official is responsible for making this decision to deny access pending due process procedures.

Due process requirements for IT contractors are not described in the Code of Federal Regulations. While 10 CFR Part 10 requires due process procedures in connection with suspension or revocation of “access authorization” (i.e., security clearances), the regulations do not address either the subject of “access” or “temporary access.” Therefore, the due process requirements for revoking temporary access stem from MD 12.3 and are not directed by a higher regulatory or legislative source.

Issue Case Resolution is Untimely

Review of DFS’s backlog of OPM investigation results found that NRC’s personnel security program fails to deal with IT contractor “issue” cases in a timely manner.

As of June 2003, DFS had a total of 224 OPM reports that needed review and adjudication for employees and contractors.
Of the 224, 80 were for contractors already working at NRC with temporary access. Of these 80 OPM reports, 70 had issues, and 39 of these issue cases had been awaiting adjudication for 5 months or more.10 (See table for more details.)

IT Contractor Issue Cases Awaiting Final Access Determination by NRC

Time since case returned from OPM    Number of cases
0 to 1 months                        6
1 to 2 months                        11
2 to 3 months                        7
3 to 4 months                        7
5 months to 1 year                   28
1 year to 2 years                    10
Over 2 years                         1
Total                                70

10 5 CFR Part 732, “National Security Positions,” which pertains to Federal employees in national security positions, requires agencies to adjudicate background investigation results and report to OPM on those results within 90 days of receiving the background investigation report. This provides a guide as to acceptable/reasonable time frames for review.

DFS staff explained that their priority is to get prospective NRC staff and contractors approved for temporary access or access authorization as quickly as possible so these individuals can begin working, rather than deal with issue cases promptly.
A DFS manager explained that while it would be desirable to deal with issue cases sooner, this is not possible given the staff’s workload, the considerable amount of overtime the staff already work on a regular basis, and the demand by program offices to bring employees and contractors on board quickly. DFS staff members commented that the number of special requests they receive to expedite certain cases and other special projects that periodically arise make it impossible to deal with cases in a first-come, first-served manner. They also explained that most OPM investigation results contain issues concerning those investigated, but that in hindsight they find that the majority of issues are minor and, ultimately, mitigated so that final access can be granted.

DFS staff also perceive that there is no quick way to revoke a contractor’s access when derogatory information arises. They said this is because of the agency’s requirement that revocation of access cannot be made without undergoing required due process procedures. One staff member explained that there is no difference in the due process requirements afforded to IT contractors during either the temporary or final access phase. According to the staff member, preparing the evidence to support these cases is extremely time-consuming and labor-intensive. Another staff member explained that this evidence needs to be discussed with the Office of the General Counsel (OGC), which determines whether NRC can go forward with the case based on the evidence. If OGC does not believe the case is supported, DFS will not go forward with the case, the staff member explained.
(As stated previously, due process procedures for IT contractors are not required by NRC regulations, but are established at the management directive level.)

Process Is Inadequate

This slow response to adjudicate contractor issue cases occurs because DFS lacks a process for addressing and resolving these cases promptly.

Office of Administration goals for personnel security emphasize quantity of case resolution (i.e., FY 03 performance measure to complete adjudication of 702 security investigations/reinvestigations) over the more time-consuming aspects of the personnel security process such as reviewing and resolving cases with issues. Staff work priorities follow suit. For example, DFS staff strive to meet an unwritten timeliness goal for reviewing and adjudicating requests for temporary access (1 to 2 weeks to complete their review once paperwork submitted is complete) for IT and building access contractors. However, they do not have a timeliness goal for reviewing and adjudicating the information that is returned from OPM in order to make a decision concerning final access.

Furthermore, there is no requirement that issue cases receive an initial screening to determine the level of risk to the agency that could result from allowing the contractor to have continued access. DFS staff members said they try to review the OPM results within a few days of receipt to see whether OPM has flagged the case as significant.
They also said that sometimes they purposely look for OPM’s response if it pertains to a troublesome case. However, as part of any initial review, they do not routinely compare the OPM results to the information used to grant temporary access to determine, for example, whether there are significant discrepancies. That type of in-depth review is not made until the DFS staff member decides to focus on a particular issue case in their backlog in order to close the case.

While DFS staff members said they inform their manager about their workload every 2 weeks, DFS management does not routinely track issue cases from receipt to resolution.11 Staff members do not routinely report to the manager about all pending issue cases, but only those on which they are currently working or have resolved.

The due process requirements for IT contractors, which are perceived by DFS staff as time consuming and burdensome, are not required by NRC regulations. Therefore, NRC’s policy could be modified to one that resolves issue cases with fewer resources. For example, at the U.S. Department of State, if employment offers are made prior to completion of the full investigation, the offers are conditional and contingent on a positive investigation outcome.

Security Risk Unaddressed

By failing to screen or review issue cases in a timely manner, NRC potentially allows individuals who may be a security risk to the agency to maintain access to agency facilities and information.
Permitting the cases to remain unaddressed for months serves, in a sense, as a de facto adjudication without review. NRC can better protect its information, facilities, and employees by developing a process to treat issue cases (particularly those which are significant) as priorities and by adjusting policies that serve as obstacles to timeliness.

Recommendations

OIG recommends that the Executive Director for Operations:

7. Develop performance measures that assess the timeliness of DFS’s adjudication of all cases back from OPM and issue cases in particular.

8. Screen contractor cases returned from the Office of Personnel Management upon receipt for significance of issues raised and adjudicate those with significant issues on a priority basis.

9. Deny access to contractors with significant issues unless and until the case is resolved in the contractor’s favor.

10. Incorporate clauses into NRC contracts specifying that temporary IT access approval for contract employees may be revoked immediately if issues surface during the background investigation that call into question the contractor’s suitability for employment at the agency.

11 Staff inform the manager about the number of cases they are currently working on and the number of cases closed.


IV. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Update and clarify MD 12.3 to reflect agency requirements concerning contractors working prior to approval, contractor escort requirements, level of access required to have a LAN account, and contractors working offsite with sensitive information.

2. Specify in MD 12.3 examples of violations that could warrant a security infraction and administer the security infraction program consistently in accordance with these rules.

3. Consistently provide materials on personnel security requirements in the project officer training course.

4. Develop and implement a plan to communicate on a routine basis directly with all NRC project officers concerning contractor security requirements. The plan should include such elements as mandatory annual refresher training on security requirements for all project officers and e-mail reminders to all project officers concerning the requirements.

5. Develop and implement a formal process for granting and documenting exceptions to security requirements and identify who is authorized to grant such exceptions.

6. Broaden the use of the credit report information for building access contractors so that information pertaining to financial issues is considered during the adjudication process.

7. Develop performance measures that assess the timeliness of DFS’s adjudication of all cases back from OPM and issue cases in particular.

8. Screen contractor cases returned from the Office of Personnel Management upon receipt for significance of issues raised and adjudicate those with significant issues on a priority basis.

9. Deny access to contractors with significant issues unless and until the case is resolved in the contractor’s favor.

10. Incorporate clauses into NRC contracts specifying that temporary IT access approval for contract employees may be revoked immediately if issues surface during the background investigation that call into question the contractor’s suitability for employment at the agency.


V. AGENCY COMMENTS

During an exit conference on September 26, 2003, NRC staff provided comments concerning the draft audit report. We modified the report as we determined appropriate in response to these comments.
NRC reviewed these modifications and opted not to submit formal written comments to this final version of the report.


Appendix A
SCOPE AND METHODOLOGY

This audit reviewed U.S. Nuclear Regulatory Commission (NRC) contractor access policies and practices to determine (1) whether NRC policies for contractor employee access to information and facilities are being implemented and (2) whether the contractor temporary access process meets its goal of expediting contractor employment without jeopardizing NRC safety and security. The audit focused specifically on Information Technology (IT) Level I, IT Level II, and building access contractors working in NRC headquarters and regional office facilities.
This audit was performed as part of an overall, ongoing, review of NRC’s personnel security program.

The Office of the Inspector General (OIG) audit team reviewed relevant criteria such as The Atomic Energy Act of 1954; Title 10, Part 10, of the Code of Federal Regulations, “Criteria and procedures for determining eligibility for access to restricted data or national security information or an employment clearance”; Executive Order 12968, “Access to Classified Information”; Management Directive and Handbook (MD) 11.1, “Acquisition of Supplies and Services”; MD 12.3, “NRC Personnel Security Program”; and other agency and Federal documents.

Auditors interviewed staff in the Division of Facilities and Security (DFS) to better understand the process for granting temporary access and denying final access to IT Level I, IT Level II, and building access contractors; an attorney in the Office of the General Counsel to better understand the agency’s due process requirements for denying final access to IT contractors who were previously granted temporary access; and NRC project officers to determine if contractor policies were implemented in accordance with requirements. Auditors also reviewed the GroupWise address book to determine whether contractors with building access had been assigned LAN accounts.
In addition, auditors reviewed personnel security case files for IT contractors to quantify the backlog of cases with issues that are awaiting adjudication for final access by NRC.

This work was conducted from January 2003 through June 2003, in accordance with generally accepted Government auditing standards and included a review of management controls related to audit objectives. The work was conducted by Vicki Foster, Senior Management Analyst; Judy Gordon, Senior Management Analyst; Beth Serepca, Team Leader; and Rebecca Underhill, Management Analyst.


Appendix B
CONTRACTOR ACCESS APPROVAL PROCESS